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KEY DISTRIBUTION IN A CONDITIONAL ACCESS SYSTEM 



2 FIFI J) OF INVENTION 

3 The present invention relates to a conditional access system, more particularly to a 

4 key distribution method and apparatus in a conditional access (CA) system. 

5 RArrettOUNP ART 

6 A CA system is vital to a cable/satellite pay-TV broadcaster, and the most important 

7 part in a CA system is how to add legal users (paid users) into the system and remove 

8 illegal users from the system dynamically. The basic architecture of a CA system is EMM 
(entitlement management message), ECM (entitlement control message), CW (control 
word), Stream. As shown in Figure 1, an operator (transmitting side) broadcasts EMM 
and ECM to each legal user through network broadcasting, the EMM contains a message 

12 to be transferred to each user (receiving side) and this message contains an entitlement 

13 key (i.e. media key, MK) needed by the user. Each user's device filters the EMM when 

14 receiving it, and upon obtaining the message to be transferred to the user in the EMM, the 
message is decrypted by using a user key (distributed to the user by way of smart card or 
other means) obtained in advance from the operator so as to obtain the entitlement key 
therein, then the entitlement key is used to decrypt ECM to obtain CW that is used to 
encrypt video streams (e.g. MPEG-2). Thus, legal users can watch an encrypted video 
program by using the entitlement key dynamically distributed to them by the operator, 

20 while unpaid users (illegal users) can not watch the encrypted video program due to not 

2 1 obtaining the entitlement key. 

22 In this CA system, EMMs play an important role for distributing the entitlement 

23 key. But unfortunately, the length of EMM is quite long in most CA systems. Generally, 
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the length is proportional to the number of users within the CA system, which may grow 
tremendously in a large system. Because of its length, more bandwidth may be taken to 
broadcast EMMs, and sometimes, users have to turn on their set-top boxes in order to 

ive EMMs. Since TS stream of MPEG-2 allows to combine many code streams 
together, EMM and ECM are transferred together with video streams instead of being 
transferred through a single channel. Also, EMM varies once a month while ECM varies 

7 once per ten seconds, so the bandwidth occupied when they are transmitted can severely 

8 influence the receiving and viewing of video programs. This situation causes some 

9 services like PPV (Pay Per View), IPPV (Impulsive Pay Per View) and Near-VOD quite 
inconvenient. For example, in a traditional CA system with 10,000 users, if 1% users 
(100 users) want to leave the system, the system has to send to each user among the left 
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12 9,900 users an EMM containing information of each user, notifying them to change their 

13 group and the original entitlement keys they own. Thus it will occupy a large amount of 



14 



bandwidth to broadcast these notifications, thereby wasting a lot of resources. 



15 STTMMARY OF INVENTION 

16 In order to solve the above-mentioned problems, the object of the present invention 



is to provide a key distribution method and apparatus in a conditional access system. The 
method is dividing legal users into various groups according to a certain condition, and 
distributing identical user keys to the users within the same group, therefore a plurality of 
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20 users can use the identical user keys to obtain the entitlement keys. 

21 In order to achieve the above object, the present invention provides a key 

22 distribution method in a conditional access system, assuming that the set of all user nodes 

23 which the system can accommodate is a complete set, and a subset is composed of all or 



rt of the user nodes, comprising the steps of: decomposing said subset into at least one 
25 secondary subset; distributing a different user key to each secondary subset, each said 
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1 user key being transmitted to all users in a corresponding secondary subset; encrypting an 

2 entitlement key by using each said user key so as to generate a cipher text corresponding 

3 to each said secondary subset; and combining said cipher text to generate a media key 

4 control block. 

5 The present invention also provides an apparatus for key distribution in a 

6 conditional access system, assuming that the set of all user nodes which the system can 

7 accommodate is a complete set, and a subset is composed of all or part of the user nodes, 

8 said apparatus comprising: a decomposing unit for decomposing said subset into at least 

9 one secondary subset, and distributing a different user key to each secondary subset, each 

10 said user key being transmitted to all users in a corresponding secondary subset; a 

1 1 generating unit for encrypting an entitlement key by using each said user key so as to 

12 generate each cipher text corresponding to each said secondary subset; a combining unit 

13 for combining said cipher text to generate a media key control block; and an entitlement 

14 control means for controlling the corresponding operation of each said unit and outputting 

15 said media key control block. 



16 RHIFF DESCKIPTTON OF DRAWINGS 

17 The above and other objects and advantages of the present invention will become 

1 8 more apparent by further describing the present invention with reference to the 

1 9 embodiments and accompanying drawings, in which: 

20 Fig. 1 is a schematic diagram of the transmitting side and receiving side in a 

21 conventional conditional access system; 

22 Fig. 2 shows the structure of a key distribution apparatus used in a conditional 

23 access system according to the present invention; 
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1 Fig. 3 is a flowchart of a key distribution used in a conditional access system 

2 according to the present invention; 

3 Fig. 4 is a structural diagram of a video program transmitting apparatus used in a 

4 conditional access system according to an embodiment of the present invention; 

5 Fig. 5 is a structural diagram of a video program receiving apparatus used in a 

6 conditional access system according to an embodiment of the present invention; 

7 Fig. 6 is a structural diagram of a video program transmitting apparatus used in a 

8 conditional access system according to another embodiment of the present invention; 

9 Fig. 7 is a structural diagram of a video program receiving apparatus used in a 

1 0 conditional access system according to another embodiment of the present invention; 

1 1 Fig. 8 is diagram showing an example of an n-level binary tree algorithm; and 

12 Fig. 9 is diagram further showing an example of an n-level binary tree algorithm. 

13 DESCRIPTION OF THE INVENTION 

14 The present invention provides key distribution methods and apparatus in a 



1 5 conditional access system. An example method of the present invention, divides legal 

16 users into various groups according to a certain condition, and distributes identical user 

1 7 keys to the users within the same group, therefore a plurality of users can use the identical 

1 8 user keys to obtain the entitlement keys. 



19 In an example embodiment, the present invention provides a key distribution 

20 method in a conditional access system, assuming that the set of all user nodes which the 

21 system can accommodate is a complete set, and a subset is composed of all or part of the 

22 user nodes, comprising the steps of: decomposing said subset into at least one secondary 

23 subset; distributing a different user key to each secondary subset, each said user key being 

24 transmitted to all users in a corresponding secondary subset; encrypting an entitlement 
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1 key by using each said user key so as to generate a cipher text corresponding to each said 

2 secondary subset; and combining said cipher text to generate a media key control block. 

3 Wherein a binary tree algorithm is used to decompose said subset into said at least one 

4 secondary subset. 

5 The present invention also provides an apparatus embodiment for key distribution 

6 in a conditional access system, assuming that the set of all user nodes which the system 

7 can accommodate is a complete set, and a subset is composed of all or part of the user 

8 nodes, said apparatus comprising: a decomposing unit for decomposing said subset into at 

9 least one secondary subset, and distributing a different user key to each secondary subset, 

1 0 each said user key being transmitted to all users in a corresponding secondary subset; a 

1 1 generating unit for encrypting an entitlement key by using each said user key so as to 

12 generate each cipher text corresponding to each said secondary subset; a combining unit 

1 3 for combining said cipher text to generate a media key control block; and an entitlement 

1 4 control means for controlling the corresponding operation of each said unit and outputting 

1 5 said media key control block. 

1 6 The present invention also provides an embodiment of a transmitting apparatus in a 

1 7 conditional access system, assuming that the set of all user nodes which the system can 

1 8 accommodate is a complete set, and a subset is composed of all or part of the user nodes, 

1 9 comprising: a decomposing unit for decomposing said subset into at least one secondary 

20 subset, and distributing a different user key to each secondary subset, each said user key 

2 1 being transmitted to all users in a corresponding secondary subset; a generating unit for 

22 encrypting an entitlement key using each said user key so as to generate a cipher text 

23 corresponding to each said secondary subset; a combining unit for combining said cipher 

24 text to generate a media key control block; a program scrambling unit for scrambling a 

25 video program by using said entitlement key; a transmitting unit for transmitting the 

26 scrambled video program and said media key control block to a receiving apparatus; and 
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1 an entitlement control means for controlling the corresponding operation of each of said 

2 units and outputting said media key control block to said transmitting unit. 

3 The present invention also provides an embodiment for a receiving apparatus in a 

4 conditional access system, assuming that the set of all user nodes which the system can 

5 accommodate is a complete set, and a subset is composed of all or part of the user nodes, 

6 comprising: a receiving unit for receiving the scrambled video program and a media key 

7 control block transmitted from a transmitting apparatus; a resolving unit for decrypting a 

8 cipher text by using a user key so as to obtain an entitlement key, wherein said cipher text 

9 is obtained by identifying said media key block using the user key corresponding to the 

10 secondary subset to which said receiving apparatus belongs, and said secondary subset is 

1 1 obtained by decomposing said subset; and a program descrambling unit for decrypting 

1 2 said scrambled video program by using said entitlement key. 

13 Since the present invention uses a binary tree classification method, a plurality of 

14 users in the same group can share a message to obtain entitlement keys, thereby reducing 

1 5 the amount of the information (length) of the EMM (MKCB in the present invention) for 

16 distributing the entitlement keys, and making the length of MKCB greatly less than that 

17 of the conventional linear management, especially in the case of user leaving from the 

18 system. So the present invention can save the large amount of bandwidth occupied when 

19 broadcasting EMM, i.e. saving a lot of network resources. 



20 The present invention will be described in detail hereinafter in connection with the 

21 drawings and specific embodiments. 

22 Definition and feature of media kev co ntrol block fMKCB) 

23 The MKCB method of the present invention can be used to implement a EMM 

24 layer in a CA system. 
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1 Let the complete set I be the set of all users or devices (nodes) (i.e. all the users that 

2 the system can accommodate), and let S be a subset of I, representing registered legal 

3 users (e.g. paid users). In the present invention, a binary algorithm (which will be 

4 described in more detail below) is used to decompose subset S into a plurality of 

5 secondary subsets Dl , D2. . . ., Dn, and different user keys are assigned to the secondary 

6 subsets, and the users in each secondary subset have the same user keys. Then entitlement 

7 keys are encrypted into cipher texts El, E2, , En by using various different user keys, 

8 the above cipher texts are combined to generate the media key control block of the 

9 present invention, MKCB(S, MK), the entitlement key (MK) in the MKCB(S, MK) can 

10 be used to encrypt the control word (CW) of a specific video program into ECM, and the 

11 CW is used to encrypt the above video program. Certainly, the above video program can 

12 also be encrypted by using directly the entitlement key (MK), in this case no control word 

1 3 is needed to encrypt the video program. 

14 In the implementing method of MKCB, a ternary tree algorithm or a multiple tree 

1 5 algorithm can also be used to decompose subset S into a plurality of subsets. In the 

16 embodiment of the present invention, MKCB is implemented by using a binary tree 

17 algorithm, which will be described in detail below. When this binary tree algorithm is 

1 8 used to implement MKCB, because of changing traditional linear management for users 

19 into grouping management, the length of MCKB is not linear to the increase of the 

20 number of users in subset S and is very short in most cases. 

21 Apparatus and method for gener a ting and distributing MKCB in a CA system 

22 Figure 2 is a structural diagram of a key distribution apparatus 1 in a CA system 

23 according to the present invention. 

24 As shown in Figure 2, the key distribution apparatus 1 used in a CA system in the 

25 present invention comprises: a decomposing unit 102 for decomposing the subset S into 
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1 at least a secondary subset Di, and assigning different user keys Ki to each secondary 

2 subset, each user key Ki is transmitted to all the users in the secondary subset 

3 corresponding to the key (e.g., by way of a master card or other means); a generating unit 

4 1 04 for using each user key Ki to encrypt an entitlement key (MK) so as to generate each 

5 cipher text Ei corresponding to each secondary subset; a combining unit 1 06 for 

6 combining each cipher text Ei to generate a media key control block MKCB; and an 

7 entitlement control device 1 08 for controlling the corresponding operations of the 

8 above-mentioned units and outputting said media key control block. In addition, the 

9 entitlement control device 1 08 may also be used to manage user information, that is, to 

1 0 incorporate other user management information to be transmitted to users by an operator 

1 1 into the media key control block (MKCB). 

1 2 The decomposing unit 1 02 uses a binary tree algorithm to decompose the subset S 

13 into a plurality of secondary subsets Dl, D2, .. ., Dn, assigns different user keys to the 

1 4 plurality of secondary subsets Dl , D2, . . ., Dn, encrypts said entitlement keys by using 

1 5 said user keys, and combines the cipher texts El , E2, . . ., En obtained after encrypting 

1 6 entitlement keys, so as to generate the media key control block of present invention, 

17 MKCB={El,E2,...,En}. 

1 8 The above-mentioned key distribution apparatus of the present invention can 

1 9 transmit the media key control block MKCB in an unidirectional channel of the CA 

20 system of video/audio broadcast, and conduct unidirectional management to each user 

2 1 node. In addition, in the present invention, the plurality of secondary subsets Dl, D2, 

22 Dn divided through a binary tree method by decomposing unit 1 02 can be maintained 

23 unchanged in the future usage after being determined when the system is established 

24 (except that the system needs to be changed, e.g. the capacity of the system is changed). 

25 Thus the heavy workload brought about by conducting dynamic management is avoided, 
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1 and the large amount of network bandwidth needed for conducting dynamic interactive 

2 management is also saved. 

3 The MKCB can be broadcast to legal users before a specific program begins, and 

4 can also be broadcast together with the program. Due to its short length, its broadcast 

5 time and manner are very flexible. 

6 Figure 3 is a work flowchart of the key distribution apparatus used in a CA system 



7 in Figure 2. As shown in Figure 3, at step S10, decomposing unit 102 decomposes a 

8 subset S in the complete set I into at least one secondary subset Dl, D2, . . ., Dn, and 

9 assigns different user keys Ki's to the above-mentioned secondary subsets (step S20), 

10 said each user key Ki is transmitted to all the users in the secondary subset corresponding 

1 1 to the user key. At step S30, generating unit 1 04 uses each said user key Ki to encrypt an 

12 entitlement key (MK) so as to generate each cipher text Ei (i.e. El, E2, . . ., En) 

13 corresponding to each secondary subset. At step S40, combining unit 106 combines said 

1 4 cipher text Ei to generate a media key control block MKCB= {E 1 ,E2, . . . ,En} . In addition, 

1 5 at step S50, the generated media key control block (MKCB) is output through the 

16 entitlement control device 108 and is transmitted to all the users within subset S via a 

1 7 transmitting unit. 



1 8 The video program transmitting apparatus using key distribution apparatus in Figure 

19 2 according to the present invention will be described in detail hereinafter, in which the 

20 same parts as that of the key distribution apparatus in Figure 2 are indicated with the 

2 1 same reference numerals, and the description for their same functions will be omitted for 

22 simplicity. 

23 Figure 4 is a structural diagram of the video program transmitting apparatus 100 

24 used in a CA system according to an embodiment of the present invention. 

25 As shown in Figure 4, the video program transmitting apparatus 100 comprises: a 

26 decomposing unit 102, a generating unit 104, a combining unit 106 and an entitlement 
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1 control unit 108, all of which have the same functions and structures as those of the same 

2 units shown in Figure 2. In addition, the video transmitting apparatus 100 further 

3 comprises: a program scrambling unit 1 10 for using entitlement key (MK) to scramble a 

4 source code stream (video program) from a video program generating device (not shown); 
. 5 a transmitting unit 1 12 for transmitting the scrambled video program and the media key 

6 control block to a receiving apparatus 200 (as shown in Figure 5). 

7 The video program receiving apparatus 200 according to the present invention will 

8 be described in detail with respect to the drawings. Figure 5 is a structural diagram of the 

9 video program receiving apparatus 200 in a CA system according to an embodiment of 

10 the present invention. As shown in Figure 5, the video program receiving apparatus 200 

1 1 comprises: a receiving unit 204 for receiving the scrambled video program and the media 

12 key control block transmitted from the transmitting apparatus 100; a resolving unit 202 

13 for identifying said media key block MKCB to obtain the cipher text Ei (i.e. one of El, 

14 E2, . . ., En) corresponding to the secondary subset Di to which the receiving apparatus 

1 5 200 belongs, and using the user key Ki corresponding to the secondary subset Di to 

1 6 decrypt the cipher text Ei so as to obtain an entitlement key (MK); a program 

1 7 descrambling unit 206 for decrypting the scrambled video program by using the obtained 

1 8 entitlement key (MK), and transmitting the descrambled video program to the receiving 

1 9 or playing device such as TV and etc. for reception or playback. 

20 Of course, the resolving unit 202 may also be used to manage user information, 

21 obtain the information transmitted to the user by an operator after decrypting MKCB, and 

22 send it to other devices (not shown) for archiving or other processing. 

23 Herein, for any given legal user subset S in the complete set I including all the user 

24 nodes which can be accommodated, the entitlement key (MK) in MKCB(S, MK) can and 

25 only can be decrypted by the users in subset S, and the MK is used to encrypt MPEG 
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1 video stream. Thus the users in subset S (legal paid users), after decrypting MKCB to 

2 obtain the MK, can further obtain the descrambled MPEG video stream. 

3 Another embodiment of the video transmitting apparatus according to the present 

4 invention will be described in connection with Figure 6, in which the same units as those 

5 of video transmitting units in Figure 4 are the same reference numerals, and the 

6 description of the same functions will be omitted for simplicity. Figure 6 is a structural 

7 diagram of the video program transmitting apparatus 300 used in a CA system according 

8 to another embodiment of the present invention. As shown in Figure 6, the video 

9 transmitting apparatus 300 comprises: a decomposing unit 102, a generating unit 104, a 

10 combining unit 106, an entitlement control unit 108 and a transmitting unit 1 12, all of 

1 1 which have the same functions and structures as those of the same units as shown in 

12 Figure 4 and will not be described further. In addition, the video transmitting apparatus 

13 300 further comprises: a control word encrypting unit 1 14 for, under the control of the 

14 entitlement control unit 108, using the entitlement key (MK) to encrypt a control word 

1 5 (CW) into the above-mentioned cipher text Ei. 

16 It also differs from the video transmitting apparatus 100 in that: the program 

1 7 scrambling unit 1 1 0 of the video transmitting apparatus 300 in the present embodiment is 

1 8 used to use the control word (CW) to encrypt a source code stream (video program) from 

19 a video program generating device (not shown) so as to generate the scrambled video 

20 programs. Herein, the cipher text Ei is the entitlement control message (ECM) in a CA 

21 system. Another embodiment of the video receiving apparatus in the present invention 

22 will be described hereinafter in connection with Figure 7, in which the same units as 

23 those in the video receiving apparatus 200 in Figure 5 are indicated with the same 

24 reference numerals, and the description of their same functions will be omitted for 

25 simplicity. 
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1 Figure 7 is a structural diagram of the video program receiving apparatus 400 used 

2 in a CA system according to another embodiment of the present invention. As shown in 

3 Figure 7, the video program receiving apparatus 400 comprises: a receiving unit 204, and 

4 a resolving unit 202, both of which have the same functions and structures as those of the 

5 same units as shown in Figure 5 and will not be described further. In addition, the video 

6 transmitting apparatus 300 further comprises: a control word decrypting unit 208 for 

7 using the decrypted entitlement key (MK) transmitted from the resolving unit 202 to 

8 decrypt the cipher text Ei (one of El, E2, . . ., En belonging to the user, i.e. ECM) 

9 corresponding to the receiving apparatus 400 so as to obtain said control word (CW). 

10 It also differs from the video receiving apparatus 200 in that: the program 

1 1 descrambling unit 206 of the video receiving apparatus 400 in the present embodiment 

12 uses said control word (CW) to decrypt the scrambled video program and transmits the 

13 descrambled video program to the receiving or playing device such as TV and etc. for 

14 reception or playback. 

1 5 Herein, for any given legal user subset S in the complete set I containing all user 

16 nodes which can be accommodated, the entitlement key (MK) in MKCB(S, MK) can and 

1 7 only can be decrypted by the users in subset S, and the MK is used to encrypt CW 

1 8 (control word) into the ECM (entitlement control message) while C W is used to scramble 

19 the MPEG video stream. Thus the users in subset S (legal paid users), after decrypting 

20 MKCB to obtain the MK, can obtain CW by using MK to decrypt ECM, and thereby 

21 further obtain the descrambled MPEG video stream. 

22 Examples of generating MKCB by using the binary tree algorithm 

23 The examples of generating MKCB by using n-level binary tree algorithm will be 

24 described hereinafter in connection with Figures 8 and 9. 
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1 Figure 8 shows a full binary tree with n levels. It is clear that there are 2 " -1 nodes 

2 within the tree, including 2 leaf nodes and one root node. A leaf node refers to a node 

3 without descendant nodes, i.e. the "lowermost" layer of the tree. In addition, each node 

4 can be treated as the root node of a certain sub-tree, which consists of the node itself and 

5 all its descendant nodes and is the sub-tree corresponding to the node. Let us associate 

6 every node with its corresponding sub-tree. For example, the root node is associated with 

7 the whole tree, and a leaf node is associated with a sub-tree that contains only the node 

8 itself. In Figure 8, node 1 represents the sub-tree associated with node a, and node 2 

9 represents the sub-tree associated with node v. 

1 0 As shown in Figure 8, sub-tree difference D'(u, v) is the set of sub-tree difference 

1 1 nodes. A sub-tree difference can be identified by two nodes u and v, where v is a 

12 descendant node of u. If T'(u) represents a sub-tree corresponding to node u, and T'(v) 

1 3 represents a sub-tree corresponding to node v, then the sub-tree difference D'(u, v) 

1 4 consists of all nodes that belong to the sub-tree of u but not belong to the sub-tree v. It 

15 can be treated that the sub-tree associated with node u minus the sub-tree associated with 

16 node v, i.e. D'(u, v)=T'(u)-T'(v). In Figure 8, a node 3 represents the sub-tree identified 

1 7 by sub-tree difference D'(u, v). 

18 In the algorithm of the present invention, it is assumed that the complete set I is the 

1 9 set of all leaf nodes, i.e. all the nodes in the part surrounded by a dash and dot line in 

20 Figure 8. That means, each leaf node represents a user, so the maximum number of users 

21 in this algorithm is 2 . 

22 As shown in Figure 9, given S as a subset of I, it can be proved that there exist 

23 some subset differences whose union is subset S. That is to say, S can be split to some 

24 subset differences D(u, v). Here, said subset differences D(u, v) refers to the set of all the 

25 leaf nodes in sub-tree difference D'(u, v). Figure 9 shows a split of subset S, where the 

26 subset S consists of all the marked leaf nodes. As shown in Figure 9, the subset S is a 
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1 union of each subset difference D(ui,vi), D(u 2 ,v 2 ), D(u 3 ,v 3 ) and D(u*,v 4 ), where subset 

2 differences D(u,,Vi)=T(ui)-T(vi), D(u 2 ,v 2 )=T(u 2 )-T(v 2 ), D(u 3 ,v 3 )=T(u 3 )-T(v 3 ), and 

3 D(u4 5 v 4 )=T(u4)-T(v 4 ). Here, T(u) represents a set of all leaf nodes in T'(u), T(v) represents 

4 a set of all leaf nodes in T(v). 

5 Each subset difference D(u, v) has a cipher value K(u, v) (user key) assigned 

6 thereto, this cipher value K(u, v) must be distributed to all the users in the D(u, v). To any 

7 user not belonging to the D(u, v), the cipher value K(u, v) must be unknown and 

8 incomputable. 

9 Let MKB be the union of E(K(u, v),MK), where E(K(u, v), MK) represents the 

1 0 cipher-text obtained by using K(u, v) in each subset difference D(u, v) as a user key to 

1 1 encrypt an entitlement key. Thus, this MKCB can only be decrypted by users with one of 

12 these K(u, v)s, which means that the user who can decrypt the MKCB belongs to one of 

13 these subset differences D(u, v). Since the union of these subset differences is subset S, 

1 4 only the users within S can obtain MK. 

1 5 The constitution of media key control block MKCB is described by examples 

16 hereinafter. As shown in Figure 9, assuming subset S of legal users can be split into 4 

1 7 subset differences D(ui,v,), D(u 2 ,v 2 ), D(u 3 ,v 3 ) and D(u4,v 4 ), then respectively, cipher value 

1 8 Ki should be distributed to the users in subset difference D(ui,vi), cipher value K 2 should 

19 be distributed to the users in subset difference D(u 2 ,v 2 ), cipher value K 3 should be 

20 distributed to the user in subset difference D(u 3 ,v 3 ), and cipher value should be 

21 distributed to the users in subset difference D(u 4 ,v 4 ). Furthermore, cipher-text Ei can be 

22 obtained by using the cipher value Ki to encrypt the entitlement key (MK), cipher-text E 2 

23 can be obtained by using the cipher value K 2 to encrypt the entitlement key (MK), 

24 cipher-text E 3 can be obtained by using the cipher value K 3 to encrypt the entitlement key 

25 (MK), and cipher-text E 4 can be obtained by using the cipher value K4 to encrypt the 
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1 entitlement key (MK). As can be seen from the above, media key control block 

2 MKCB={E,,E 2 ,E3,E 4 }. 

3 Thus, when the receiving apparatus of the user receives the MKCB, the information 

4 in the MKCB is filtered and identified. The identifying method can be as follows: for 

5 example, assigning respective IDs to all the cipher-text E b E 2 , E 3 and E 4 in the MKCB, or 

6 placing all the cipher-texts Ei , E 2 , E 3 and E 4 at the positions with corresponding IDs in 

7 MKCB, detecting the cipher-text with the ID corresponding to itself in the user's 

8 apparatus in each subset difference D(u, v), or detecting the cipher-text at the position 

9 with the ID corresponding to itself, so as to conduct decryption. That is, the users 

10 belonging to the subset difference D(ui, v,) detect the information containing Ei in the 

1 1 MKCB, and use the cipher value Ki they own to decrypt Ei so as to obtain the MK; the 

1 2 users belonging to the subset difference D(u 2 , v 2 ) detect the information containing E 2 in 

1 3 the MKCB, and use the cipher value K 2 they own to decrypt E 2 so as to obtain the MK; 

1 4 the users belonging to the subset difference D(u 3 , v 3 ) detect the information containing E 3 

1 5 in the MKCB, and use the cipher value K 3 they own to decrypt E 3 so as to obtain the MK; 

1 6 and the users belonging to the subset difference D(u,, v 4 ) detect the information 

1 7 containing E 4 in the MKCB, and use the cipher value I<U they own to decrypt E 4 so as to 

18 obtain the MK. 

19 It is known from the above that only those users in one of the subset differences 

20 constituting the legal user subset S can obtain the MK. 

21 The problem as to the amount of user kevs each user needs to store 

22 In a conventional method, each user must store (or may deduce) the cipher value 

23 K(u, v) (user key) corresponding to all subset differences D(u, v) containing himself in 

24 subset S. These user keys are distributed to legal users (e.g. paid users) by an operator for 

25 decrypting the MKCB, according to the present invention, broadcast by the operator, so 
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1 as to obtain the entitlement keys being necessary to watch an encrypted video program. 

2 These user keys can, for example, be stored in a smart card. 

3 It can be known through a simple calculation that, for an n-level binary tree, the 

4 number of the subset differences containing a certain leaf node is 2 n -n-l, which is of the 

5 same order of magnitude as 2 n , i.e. 0(2 n ). When n is smaller, i.e. the amount of subset 

6 differences is smaller, a direct storage method can be adopted, i.e. a method of directly 

7 storing these user keys of small amount into e.g. a smart card; and when n is quite large, 

8 the number of subset differences increases according to a geometric series and will 

9 become very large, at which time it will be very difficult to distribute or store such a large 
1 0 amount of subset differences. 



1 1 In the present invention, when n is quite large or the storage space is limited, the 

12 following method can be adopted to compress the key space: 

13 When assigning K(u, v) to each subset difference D(u, v), the following algorithm 

14 is adopted: 

15 ( 1 )if u is the parent node of v, then assign directly a random key (or adopt another 

1 6 method to deduce); 

17 (2)if u is not the parent node of v and the parent node of v is v f , then in the case of 

1 8 given K(u, v f ), K(u, v) can be computed from K(u, v f ) by using an unidirectional 

19 major function. 

20 The so-called unidirectional major function is an usual concept in encryption 

21 algorithms, which is as follows: another value can be simply computed from a value by 

22 using a certain method, but it is very difficult to deduce back from the computed value to 

23 the original value, that is, in a function y=f(x), it is easy to compute y from x because of 

24 the known function relation, but it is very difficult to compute x from y because of not 

25 knowing its inverse function relation. 
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1 It is easy to see that this is a convergent recursive algorithm. After the present 

2 invention uses such an algorithm, each user need not store K(u, v) corresponding to all 

3 the subset differences D(u, v) containing himself, because most K(u, v) can be deduced 

4 from other K(u, v)s. It is easy to check that at this time each user only needs to store 

5 n(n-l)/2 keys which is of the same order 0 f magnitude as n 2 /2, i.e. 0(n 2 /2), not of the 

6 same order of magnitude as 2 " . So the amount of user keys to be stored is greatly 

7 reduced, while it can be seen that the safety of the whole system is not reduced because of 

8 the feature of the unidirectional major function. 

9 Division of subset differences in subset S 

1 0 When a CA system is established, the capacity of users therein (i.e. the amount of 

1 1 all the leaf nodes) is definite. When a user occupies a node because of jointing the 

12 system, the position of the user is fixed for the system. All the corresponding subset 

1 3 differences of the position is also fixed with respect to the whole system. The division of 

14 all subset differences D(u, v) and their corresponding cipher values K(u, v) are stored in a 

1 5 database of the system (not shown) through corresponding programs. 

1 6 In addition, the operator distributes the cipher value K(u, v) (user key) 

1 7 corresponding to all subset differences D(u, v) containing the node to the user at the 

1 8 position of the node, e.g. in a form of smart card as described above. Thus, when a certain 

1 9 user joins or leaves subset S, the system automatically computes all subset differences 

20 D(u, v) corresponding to the situation in subset S after the user joins or leaves, and 

2 1 broadcasts to each user the media key control block (MKCB) formed by using cipher 

22 values K(u, v) in the subset differences D(u, v) to encrypt the entitlement keys (MKs). 

23 Because the user at each position has K(u, v) corresponding to each subset difference 

24 D(u, v) after the change, he can decrypt the media key control block (MKCB) without 

25 being effected to obtain the entitlement key MK. 
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1 Using MKCB method to add in and remove users 

2 In a system with unfilled capacity, there are spare nodes that are not occupied by 

3 users. If a new user joins the system, he/she will occupy one of the nodes and obtain a set 

4 of keys corresponding to the node, i.e. the user keys as described above. This procedure 

5 can be implemented by distributing practically a smart card or by broadcasting or by other 

6 means, if using a smart card, a user can insert the smart card into a suitable receiving 

7 apparatus (such as a set-top box) and wait to receive the MKCB broadcast transmitted 

8 from the operator. At this time, the subset S of legal users should be changed to S'=S+A, 

9 where A represents the node of the new user. 



1 0 When a new user joins, the division of subset differences changes. Meantime, a new 

1 1 MKCB should be generated for a new S' and MK, where MK' can be a new entitlement 

1 2 key or can be the original entitlement key (MK). When the original MKCB is replaced by 

1 3 the new MKCB, the new user joins the system successfully. 

14 In the case that a plurality of users join the system, the process is the same as the 

1 5 above process. The only difference is S '=S+A', where A' represents a set of all nodes of 

16 the new users. 

17 If a user wants to quit the system, or his/her apparatus has a secret divulged or is 

1 8 intruded illegally, the user should be removed from the system. In this case, the set S of 

1 9 all legal users should become S'=S-A, where A represents the node of the user. 

20 When a user quits the system, the division of the subset differences also changes, 

21 and a new MKCB should be generated for the new S ' and MK' , where MK' should be a 

22 new entitlement key and can not be the original entitlement key. When the new MKCB 

23 replaces the original MKCB, the user is removed successfully from the system. 
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1 In the case that a plurality of users is removed from the system, the process is the 

2 same as the above one. The only difference is S'=S-A\ where A' represents a set of all 

3 nodes of the removed users. 

4 For the users who quit the system, the system can adopt the following methods to 

5 cease their right of watching the encrypted video programs: (1) send messages for closing 

6 the MKCB receiving function of the users, and change the entitlement key (MK) in the 

7 set S of current legal users; (2) stop transmitting to the users media key control block 

8 (MKCB) containing the entitlement key (MK). 

9 For new users who just join the system, because they already have user keys K(u, v) 

1 0 corresponding to every subset difference D(u, v) at the position of the node, they can, 

1 1 after receiving the media key control block (MKCB), decrypt it so as to obtain the 

1 2 entitlement key (MK). 

1 3 In addition, a user's joining or being removed (quitting) from the system takes as a 

1 4 triggering condition whether the user performs the registration procedure (such as 

1 5 whether he has paid). The system can detect this case, automatically compute the changed 

1 6 subset difference D(u, v), and perform the transmission or the cease of the transmission of 

1 7 media key control block (MKCB). 



18 Analysis result of the sub-tree algorithm 

1 9 If set (I-S) has r nodes, i.e. the number of free leaf nodes as shown in Figure 4 is r, 

20 it can be proved through a mathematical induction that: the subset S is a union set of less 

2 1 than (2r- 1 ) subset differences. It can also be computed through a probability statistics 

22 formula that, on average, the expectation number of subset differences increases by 21n2, 

23 i.e. about 1 .38, when r increases by 1 . Therefore the average value of the number of the 

24 subset differences is about 2rln2, i.e. 1 .38r. If r is large, the expectation value will 

25 decrease. It can be seen from the example in Figure 5 that r= 1 1 , and the number of the 



Docket Number CN920020006US1 



1 subset differences that subset S can be divided into is at most 2 1 , complying with the 

2 above formula 2x1 1-1=21. 

3 If the subset S has m nodes, then the subset differences needed by the subset S can 

4 not be more than m, because each subset difference can cover at least one node. In 

5 general, the estimation can be greatly reduced, since each subset difference can cover a lot 

6 of nodes. It indicates that the present method can not be worse than encrypting and 

7 transmitting information node by node even in the worst case. 

8 In addition, in the method of the present invention, the coverage of subset S is 

9 accomplished by using subset differences D(u, v), in which manner the number of subset 

1 0 differences in most cases will be relatively small. But the present invention is not limited 

1 1 to this, and other methods can be adopted, such as using subset T(u) directly for coverage. 

1 2 An advantage of directly using subset for coverage is that the number of user keys 

1 3 Which a user needs to store is relatively small, and each user needs only to store n keys. 

1 4 But its defect is also very obvious, for example, when only one user needs to be removed, 

1 5 the whole binary tree will be divided into n- 1 subsets, the cost of which is that this 

1 6 number is greatly large with respect to subset difference coverage (in this case, only one 

1 7 subset difference is necessary). 

1 8 The present invention can also consider general tree structures which are not only 

1 9 the binary tree but also a ternary tree or a multiple tree. In general tree structures, the 

20 method of direct subset coverage as well as subset difference coverage can also be 

21 considered. 

22 In addition, the present invention is not limited to the method of using a sub-tree, 

23 other methods can also be adopted to implement the hierarchical grouping of users in the 

24 present invention and make the condition of the grouping practically changed along with 

25 the increase or reduction of efficient users, so as to reduce the length of the message 

26 contained in MKCB. 
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1 Advantages of MKCB method 

2 Compared with the conventional CA system, MKCB method has two main 

3 advantages: Firstly, according to the sub-tree algorithm, the length of MKCB is made 

4 greatly shorter than that of conventional EMM. The length of MKCB depends on the 

5 number of subset differences in the division of subset S. In the case that a few users are 

6 removed from the system or the tree structure of subset S is very "clean" (i.e. the node 

7 positions in the tree structure is relatively concentrated and tidy)", the length of MKCB 

8 becomes greatly shorter than that of conventional linear EMM, while the length of the 

9 conventional linear EMM is linearly proportional to the number of the users. The shorter 

1 0 MKCB can be realized, the more bandwidth can be saved. 

1 1 Secondly, in the conventional CA system, the removal of some users will make the 

1 2 other users in the same group changed to those of a new group(s), wherein it is extremely 

1 3 important to ensure the other users to correctly change their group(s). But in order to 

1 4 achieve the object, it takes a lot of bandwidth to encrypt the information to be 

1 5 transmitted. In the present invention, because MKCB is very short, its broadcast and 

1 6 distribution time and form is very flexible, and when some users are removed from the 

1 7 system, the other users need not to be changed to a new group(s), thereby bringing about 

1 8 very little effect to the Other users. 

1 9 While the embodiment of the present invention has been described in detail, it will 

20 be understood by those skilled in the art that various changes may be made therein 

2 1 without departing from the spirit and scope of the invention as defined by the appended 

22 claims. 

23 Variations described for the present invention can be realized in any combination 

24 desirable for each particular application. Thus particular limitations, and/or embodiment 

25 enhancements described herein, which may have particular advantages to a particular 
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1 application need not be used for all applications. Also, not all limitations need be 

2 implemented in methods, systems and/or apparatus including one or more concepts of the 

3 present invention. 

4 . The present invention can be realized in hardware, software, or a combination of 

5 hardware and software. A visualization tool according to the present invention can be 

6 realized in a centralized fashion in one computer system, or in a distributed fashion where 

7 different elements are spread across several interconnected computer systems. Any kind 

8 of computer system - or other apparatus adapted for carrying out the methods and/or 

9 functions described herein - is suitable. A typical combination of hardware and software 

10 could be a general purpose computer system with a computer program that, when being 

1 1 loaded and executed, controls the computer system such that it carries out the methods 

12 described herein. The present invention can also be embedded in a computer program 

1 3 product, which comprises all the features enabling the implementation of the methods 

14 described herein, and which - when loaded in a computer system - is able to carry out 

15 these methods. 

16 Computer program means or computer program in the present context include any 

17 expression, in any language, code or notation, of a set of instructions intended to cause a 

1 8 system having an information processing capability to perform a particular function 

1 9 either directly or after conversion to another language, code or notation, and/or 

20 reproduction in a different material form. 

21 Thus the invention includes an article of manufacture which comprises a computer 

22 usable medium having computer readable program code means embodied therein for 

23 causing a function described above. The computer readable program code means in the 

24 article of manufacture comprises computer readable program code means for causing a 

25 computer to effect the steps of a method of this invention. Similarly, the present 

26 invention may be implemented as a computer program product comprising a computer 
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1 usable medium having computer readable program code means embodied therein for 

2 causing a a function described above. The computer readable program code means in the 

3 computer program product comprising computer readable program code means for 

4 causing a computer to effect one or more functions of this invention. Furthermore, the 

5 present invention may be implemented as a program storage device readable by machine, 

6 tangibly embodying a program of instructions executable by the machine to perform 

7 method steps for causing one or more functions of this invention. 

8 It is noted that the foregoing has outlined some of the more pertinent objects and 

9 embodiments of the present invention. This invention may be used for many 

1 0 applications. Thus, although the description is made for particular arrangements and 

1 1 methods, the intent and concept of the invention is suitable and applicable to other 

1 2 arrangements and applications. It will be clear to those skilled in the art that 

1 3 modifications to the disclosed embodiments can be effected without departing from the 

1 4 spirit and scope of the invention. The described embodiments ought to be construed to 

15 be merely illustrative of some of the more prominent features and applications of the 

1 6 invention. Other beneficial results can be realized by applying the disclosed invention in 

1 7 a different manner or modifying the invention in ways known to those familiar with the 

18 art. 
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